PRIVACY POLICY PHISHED.IO

Version 2024-08


Phished BV undertakes to process your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (hereinafter "GDPR") and other applicable legislation.

1. The Controller

Phished BV (hereinafter referred to as 'Phished', 'we', 'us' or 'our') with registered office at Bondgenotenlaan 138, 3000 Leuven, Belgium and with registration number 0735.908.019, is the controller for the processing of your personal data for the purposes as described in this data protection policy.

2. Contact details

If you would like to contact us regarding this policy, you can do so by sending an email to our DPO: [email protected].

If you contact us because you wish to exercise one of your rights (see section 8), please clearly indicate which right you wish to exercise. Please be as specific as possible when exercising your rights.

3. The personal data we process

Depending on your role or capacity, we collect the following data:

  • Customers (and their representatives): general identifiers (such as name, title/position, address, mobile phone or phone number, email, assigned identifiers), financial identifiers (such as identification and bank account numbers), financial transactions (such as amounts paid or payable), fees, professional activities (including the business, the nature of the activity, the nature of the goods/services used, business relationships), contracts and agreements with Phished, all other personal data that has been lawfully provided to Phished. The source of this personal data is you or your employer.
  • Partners (and their representatives): general identifiers (such as name, title/position, address, mobile phone or telephone number, email, assigned identifiers), financial identifiers (such as identification and bank account numbers), financial transactions (such as amounts paid or payable), fees, professional activities (including the business, the nature of the activity, the nature of the goods/services used, business relationships), contracts and agreements with Phished, all other personal data that has been lawfully provided to Phished. The source of this personal data is you or your employer.
  • Prospects (and their representatives): general identification data (such as name, title/position, address, mobile phone or telephone number, e-mail), professional activities (including the nature of the activity, the nature of the goods/services used, business relationships), all other personal data that has been lawfully provided to Phished. The source of this personal data is you or your employer.
  • Suppliers (and their representatives): general identifiers (such as name, title/position, address, mobile phone or telephone number, email, assigned identifiers), financial identification data (such as identification and bank account numbers), financial transactions (such as amounts paid or payable), fees, professional activities (including the nature of the activity, the nature of the goods/services used), contracts and agreements with Phished, all other personal data that has been lawfully provided to Phished. The source of this personal data is you or your employer.
  • Job applicants: all personal data that has been lawfully provided to Phished (such as a CV and/or cover letter);
  • Website visitors: personal data collected via cookies (see our cookie policy);
  • Social media users: the personal data that users provide via social media channels (used for advertising purposes).

In the performance of its activities, Phished can also act as a processor of your personal data (for example, when sending a phishing simulation to a target group specified by our customer). In this case, the processing of personal data by Phished, as a processor, is part of the agreements between Phished and the controller(s)/our customer. These processing activities are not included in this privacy policy. In this context, we refer to the privacy policy for end users.

If you provide us with personal data from a third party, such as your staff, freelancers, customers, suppliers, partners, you guarantee to Phished that you (a) have lawfully obtained such personal data from the third party and have lawfully provided it to Phished, (b) have provided Phished with personal data that is accurate and up-to-date and (c) have provided the said person with relevant information about the existence and content of this policy.

4. Purposes

You are not obliged to share your personal data with us, but if you do not share the requested personal data with us, we may not be able to provide you with the requested services and/or products. We process the personal data for the following purposes:

  • 4.1. Execution of the agreement: the creation of a personal account and/or profile, the correct execution and fulfilment of the agreements (including communications), invoicing, customer service and support (so that we can help you with questions and/or problems).
  • 4.2 Purchases via website: the correct execution of and compliance with the agreements regarding purchases via the website (including communications), the processing of orders and any after-sales service, invoicing.
  • 4.3. Direct marketing: sending notifications via email and/or newsletters. If you no longer wish to receive these messages, you can use the opt-out provided. After that, you will no longer receive unsolicited direct marketing messages and we will no longer process your personal data for these direct marketing purposes.
  • 4.4. Applicant Management: to assess applicants' suitability for open positions, for recruitment, selection and, where applicable, the drafting of an employment contract.
  • 4.5. Necessary for the functioning of our company: to improve and optimize our services (e.g. by means of cookies and advertisements via social media), to maintain and improve the website (e.g. by means of cookies), to ensure the security of our website and services, to prevent misuse or improper use of our services, to store personal data as evidence or for the purpose of legal proceedings, administrative or out-of-court procedures, to store personal data for the purpose of obtaining or maintaining insurance coverage, managing risks or seeking expert advice, to store personal data to ensure attendance at / participation in events.
  • 4.6. To comply with legal obligations (e.g. in relation to anti-money laundering and counter-terrorism legislation).

5. Lawful basis for the processing activities

The processing of personal data under sections 4.1 and 4.2 is based on the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract.

The processing of personal data of prospects under section 4.3 and the processing of personal data by means of cookies (other than strictly necessary and functional cookies) under section 4.5 is based on the consent of the data subject.

The processing of customer personal data under Section 4.3 and for the first contact with prospects, as well as the other processing of personal data under Sections 4.4 and 4.5 is based on our legitimate interests (only when the legitimate interest of our business overrides the interests of the data subjects). The interests are set out in sections 4.3 - 4.5.

The processing of personal data under section 4.6 is necessary for compliance with a legal obligation to which we are subject.

6. Sharing your personal data with third parties/international transfers

We only provide relevant aspects of personal data to third parties if those parties are contractually bound to Phished or act on behalf of or under contract with Phished. Of course, we have made agreements with these parties about the protection of your personal data.

Phished may disclose personal data when this is necessary to comply with a legal obligation to which we are subject, or to protect (vital) interests. We may also disclose the personal data when such disclosure is necessary for the establishment, exercise or defence of legal claims, in legal proceedings or in administrative or out-of-court proceedings.

We do not provide personal data to companies outside the European Economic Area, unless there is an adequacy decision or standard clauses, appropriate safeguards, binding corporate rules or exchanges as referred to in Article 49 (1) GDPR.

In the event of a total or partial reorganization, merger, demerger, acquisition or sale of assets, we are entitled to transfer personal data to the relevant third party.

You accept that personal data that you submit for publication through our website or services may be available worldwide via the Internet. We cannot prevent the use (or misuse) of such personal information by others.

7. Storage and deletion of personal data

We only retain personal data for as long as necessary to achieve the purpose set out above. Because the retention period depends on the purpose, but also on the type of personal data, these retention periods vary.

8. Your data protection rights

Your requests regarding the exercise of your data protection rights should be addressed to [email protected].

For your informational purposes and for the sake of clarity, we have summarised your rights under the GDPR in this section. Because some of these rights are complex, not all of the details are included in this summary. Therefore, you can read the relevant laws and regulations for a full explanation of these rights or contact the Data Controller.

In order to exercise your rights, you must also provide sufficient proof of your identity. In this context, we recommend that you attach a secure copy of your personal data to your request. A protected copy involves blurring all non-essential information and adding a watermark. This watermark should include the purpose of the copy, the recipient, and the date of issue. The only information necessary is your name (so all other information can be blurred).

  • Right of access: you have the right to be informed about whether your personal data is being processed by us, and, if so, to access the personal data, together with the additional information mentioned in Article 15 of the GDPR. If the protection of the rights and freedoms of others is not affected, we will provide you with a copy of your personal data.
  • Right to rectification: you have the right to have inaccurate and/or incomplete personal data corrected and/or completed.
  • Right to erasure: You have the right to have your personal data erased in the circumstances mentioned in Article 17 (1) GDPR, such as when you withdraw your consent to consent-based processing or object to processing for direct marketing purposes.
    Phished will then delete your personal data without undue delay, unless the exclusions mentioned in Article 17 (3) GDPR apply. For example, Phished does not have to delete your data if the processing is necessary to comply with a legal obligation.
  • Right to restriction of processing: you have the right to restrict the processing of your personal data in the circumstances mentioned in Article 18 (1) GDPR, such as if you contest the accuracy of the personal data.
  • Right to data portability: You have the right to receive the personal data that you have provided to us in a structured, commonly used and machine-readable format and to transmit such data to another controller if (a) the processing is based on consent or is necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering into a contract, and (b) such processing is automated. However, this right does not apply if it would harm the rights and freedoms of others.
  • Right to withdraw consent: insofar as the processing ground for the processing of your personal data by Phished is based on consent, you have the right to withdraw this consent at any time. The withdrawal of consent does not affect the lawfulness of the processing prior to its withdrawal.
  • Right to lodge a complaint with the supervisory authority: we always encourage you to forward any questions, comments or complaints you may have regarding the processing of your personal data in accordance with section 8. In any case, and in particular if you do not agree with Phished's position regarding a complaint/request or the way in which your request was handled (for example, if you believe that our processing of your personal data violates data protection legislation or if you have comments about the use of your personal data), you have the right to lodge a complaint with the competent supervisory authority, including the Belgian Data Protection Authority (online or by sending a letter to the Data Protection Authority, Drukpersstraat 35, 1000 Brussels).
  • Right to object to processing: You have the right to object to the processing of your personal data by Phished for direct marketing purposes at any time. You can do this via the 'opt-out' option. After that, you will no longer receive the unsolicited direct marketing messages, and we will no longer process your personal data for these direct marketing purposes. If the processing of your personal data is necessary for another purpose, you may of course still receive communications in the context of this purpose.
    You also have the right to object to the processing of your personal data by Phished based on Article 6(1)(e) or (f) GDPR on grounds relating to your particular situation. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is necessary to establish, exercise or defend legal claims.

In addition, you have the right to object to our processing of your personal data for scientific, historical or statistical (research) purposes on grounds relating to your situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

9. Cookies

You can read more about our use of cookies at the following link.

10. Updates

Phished reserves the right to make changes and/or updates to this privacy policy to take into account technological advancements, changes in laws and regulations and good business practices.

END USER PRIVACY POLICY

Version 2025-04

Phished BV (hereinafter "Phished", "we", "us" or "our") undertakes to process your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (hereinafter "GDPR") and other applicable legislation.

Phished processes your personal data for and on behalf of its customer, the organization that uses our services. Phished therefore qualifies as a processor of your personal data, and the customer qualifies as the data controller.

The controller may have its own privacy policy/data protection policy regarding the processing of your personal data by Phished, in which case the policy of the controller should be read in conjunction with this policy. In the event of a conflict, the controller's policy will take precedence (as certain specific arrangements may have been made between you and the controller).

1. The Data Controller

Your organisation/employer/designator (hereinafter referred to as "the Controller") has designated you as part of the target audience of end users of the following services (hereinafter "Services"), which are provided by Phished:

  • the creation of a Phished user account of the employees of the Controller (in the broadest sense of the word, hereinafter referred to as "Employees");

  • carrying out simulated phishing attacks on the Controller's logged-in Employees (and the Controller's systems);

  • training employees through e-learning;

  • the automatic delivery (via web portal) of detailed reports with regard to the results of this.

The Controller and Phished have entered into an agreement on the performance of these Services.

2. The Processor

Phished BV, with registered office at Bondgenotenlaan 138, 3000 Leuven, Belgium and company number 0735.908.019, is the processor for the processing of your personal data with a view to the performance of the Services.

3. Contact details

If you would like to contact us about this data protection policy, please contact us by email to our DPO: [email protected].

If you wish to exercise any of your rights (see point 8), we kindly ask you to contact the Data Controller.

4. The personal data we process

We process the following categories of your personal data:

  • name;

  • e-mail address;

  • language;

  • open/click/report behavior and results regarding the Phished Academy and phishing simulations.

Optionally, we also process the following categories of personal data:

  • department and/or function within the company;

  • geographical location of the company and/or establishment where you are employed;

  • mobile phone or phone number;

  • e-mail data relating to reported e-mails, depending on the settings in the Controller's Phished account:

    • If the Controller chooses the option "handle reports in application" or "handle reports in application & forward reports to email" in their Phished account and possible phishing emails are reported:

      • via the Phished Report Button in Gmail: Phished only processes the body of Gmail messages (incl. attachments), metadata, headers and settings, to identify an email as a phishing simulation of Phished or as a potential phishing threat when reported via the Phished Report Button. This data is encrypted and the processing also complies with the Google API Services User Data Policy, including the restricted use requirements.

      • via the Phished Report Button in Outlook: Phished only processes Outlook message bodies (incl. attachments), metadata, headers and language settings, to identify an email as a phishing simulation of Phished or as a potential phishing threat when reported via the Phished Report Button. This data is encrypted.

      • by forwarding them: Phished only processes the message bodies (incl. attachments) and headers to identify an email as a phishing simulation of Phished or as a potential phishing threat when it is forwarded. This data is encrypted.

    • If the Controller has chosen the option "forward reports to e-mail" in the Phished account, and phishing e-mails are reported to Phished via the Phished Report Button in Gmail or Outlook or by means of forwarding, Phished does not process these e-mails.

This data is provided to us by the Controller, who (a) has lawfully obtained such personal data from you and has lawfully provided it to Phished, (b) has provided Phished with personal data that is accurate and up-to-date, and (c) will provide you with relevant information about the processing activities.

5. Purposes and lawful basis for processing

We process the personal data because it is necessary for the performance of the Services (lawful basis for processing). In this context, we process your personal data for the following purposes on behalf of the Data Controller:

  • making the Phished software available in accordance with the agreements between Phished and the Controller (including, but not limited to, creating a user account for you and ensuring the proper functioning of the Phished software);

  • raising awareness of the dangers of phishing through the Phished software and tracking the users of the software, including (but not limited to):

    • sending and receiving communications via email, SMS or voice message (depending on settings), e.g. a phishing simulation, a notification or a suspected real phishing email.

      These do not constitute direct marketing. However, if you no longer wish to receive these communications, you should contact the Controller. Only the Controller can instruct us to stop this e-mail traffic. However, we do not recommend this to the Controller, as you (as a user) will no longer benefit from our training and the Controller benefits most from training if as many of its Employees as possible participate. This is because the Controller invokes its legitimate interest, which allows it, subject to a correct weighing of interests, to reject your request.

    • making available the reporting of e-mails to determine whether they are phishing simulations sent by Phished, or real phishing threats;

    • organizing continuous performance management: keeping track of personal goals, 1-on-1s and feedback for you;

    • continuously measuring engagement through the Phished Academy, for example based on the training sessions (including a set of questions) of Phished or a set of questions or training session chosen by the Controller;

    • storing phishing results;

    • keeping phishing results available to the Controller via statistics;

    • continuously adapting the phishing simulations.

Phished will not process your personal data for purposes other than for the performance of the Services and/or for the fulfilment of the responsibilities laid down in the agreement between Phished and the Controller. Phished will only process your personal data on behalf of the Controller and in accordance with the documented instructions of the Controller.

6. Sharing the personal data with others/international transfers

We only disclose relevant aspects of personal data to third parties if those parties are contractually bound to Phished or act on behalf of or under contract with Phished. Of course, we have made agreements with these parties about the protection of your personal data. The Controller has been informed of these third parties via the agreement we have concluded with them.

Phished may disclose personal data when this is necessary to comply with a legal obligation to which we are subject, or to protect (vital) interests. We may also disclose the personal data when such disclosure is necessary for the establishment, exercise or defence of legal claims, in legal proceedings or in administrative or out-of-court proceedings.

We do not provide personal data to companies outside the European Economic Area, unless there is an adequacy decision, standard clauses, appropriate safeguards, binding corporate rules or transfers as referred to in Article 49(1) of the GDPR.

In the event of a total or partial reorganization, merger, demerger, acquisition or sale of assets, we are entitled to transfer the personal data to the relevant third party.

7. Storage and deletion of personal data

The personal data will be kept for the duration of the contract between Phished and the Controller and will be deleted after 12 months of inactivity following the termination of your account. Unless otherwise agreed between Phished and the Controller, we may further use anonymized, aggregated data, which is not personal data, to improve our services.

In any case, the Controller may contact us at any time regarding a request to anonymise or delete certain personal data (for example, if you no longer work for the Controller). If you wish to have your data deleted, you must contact your Data Controller (in conformity with point 8).

8. Your data protection rights

Your requests regarding the exercise of your data protection rights should be addressed to the Controller, who is responsible for handling them. They will not be handled by Phished under any circumstances, unless we have been explicitly instructed to do so by the Controller.

For your information and clarity, we have summarised your rights under the GDPR in this section. Because some of these rights are complex, not all of the details are included in this summary. Therefore, you can read the relevant laws and regulations for a full explanation of these rights or contact the Data Controller.

To exercise your rights, you must provide sufficient proof of your identity. In this context, we recommend that you attach a secure copy of your personal data to your request. A protected copy involves blurring all non-essential information and adding a watermark. This watermark should include the purpose of the copy, the recipient, and the date of issue. The only information necessary is your name (so all other information can be blurred).

  • Right of access and a copy of your personal data: you have the right to be informed about whether your personal data is being processed by the Data Controller and, if so, to access this personal data, together with the additional information mentioned in Article 15 of the GDPR. If the protection of the rights and freedoms of others is not affected, the Data Controller will provide you with a copy of your personal data.

If you request a copy of your data processed by Phished, you must address this request to your Controller. Please note that, if we receive your request via the Controller, we can only provide a copy of the following personal data:

  • Your name;

  • Your e-mail address;

  • The unique number associated with your user account (UID).

All other categories of personal data (see above) are encrypted for Phished (where the encryption key is managed by a third party). Therefore, we cannot reasonably provide you with a copy of this data. However, the Controller can provide a copy of this.

This is part of the principle of 'Security by Design', as our platform is structured in such a way that the personal data that Phished can consult is limited to what is strictly necessary.

  • Right to rectification: you have the right to have incorrect and/or incomplete personal data corrected and/or supplemented.

  • Right to erasure: you have the right to have your personal data erased in the circumstances mentioned in Article 17(1) of the GDPR, such as when you withdraw your consent to processing based on consent.

Please note that your personal data has not been collected for the use of the Services by the Data Controller based on your consent, but based on their legitimate interest.

  • Right to restriction of processing: you have the right to restrict the processing of your personal data in the circumstances set out in Article 18(1) GDPR, for example in the event that you contest the accuracy of the personal data.

  • Right to data portability: you have the right to receive the personal data concerning you that you have provided to the Controller in a structured, commonly used and machine-readable format and to transmit this data to another controller if (a) the processing is based on consent or is necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering into a contract, and (b) this processing is automated. However, this right does not apply where it would harm the rights and freedoms of others.

In the admin manual, which is made available by Phished to the Controller, the Controller can find for which data such an export is possible.

  • Right to withdraw consent: To the extent that the lawful basis for the processing of your personal data is consent, you have the right to withdraw this consent at any time. The withdrawal of consent does not affect the lawfulness of the processing prior to its withdrawal.

  • Right to lodge a complaint with the supervisory authority: we always encourage you to forward any questions, comments or complaints you may have regarding the processing of your personal data to your Controller. In any case, and in particular if you do not agree with the position of your Controller and/or Phished in response to a complaint/request or the way in which your request was handled (for example, if you believe that our processing of your personal data violates data protection legislation or if you have comments about the use of your personal data), you have the right to lodge a complaint with the competent supervisory authority, including the Belgian Data Protection Authority (online or by sending a letter to the Data Protection Authority, Drukpersstraat 35, 1000 Brussels).

  • Right to object to processing: You have the right to object to the processing of your personal data for direct marketing purposes at any time, as long as the exclusions mentioned in Article 17(3) GDPR do not apply (for example, if the processing is necessary to comply with a legal obligation).

You also have the right to object to the processing of your personal data based on Article 6(1)(e) or (f) GDPR on grounds relating to your particular situation. In addition, you have the right to object to the processing of your personal data for scientific, historical or statistical (research) purposes on grounds relating to your particular situation.

9. Cookies

You can read more about our use of cookies via the following link.

10. Updates

Phished reserves the right to make changes and/or updates to this Data Protection Policy to take into account technological advancements, changes in laws and regulations and good business practices.